ISO 27001 Annex A.12: Operations Security
The operations clause ensures that your information processing operations are well controlled and well managed.
A.12.1 Operational procedures and responsibilities
The operations and procedures conducted within any data processing group must follow accurate, secure standards with clear responsibilities to produce quality results.
A.12.1.1: Documented operating procedures
All operating procedures used within your company must be documented and passed on to employees and relevant stakeholders to ensure a standard, uniformity in departmental tasks and results . Consistency is crucial for effective operations, business continuity with smooth recovery in the event of a disaster.
Document integrity must be maintained within safe storage boundaries, taking into account changes such as cloud usage for storing and backing up data which help to automate these processes.
A.12.1.2: Change management
Change management procedures assure that all updates to information facilities and processes is relevant, effective, authorised and processed to reduce risks of malicious attacks. Changes could entail revisions, amendments, reprogramming, etc with change management logs reflecting if the systems, networks and applications followed the ISO 27001 Change management standards.
A.12.1.3: Capacity management
Overall and after changes to software and equipment you should monitor your current system’s capacity and performance. Effective capacity management with quality outputs allow for meeting business goals.
Manage the following areas:
(a) data storage,
(b) processing power, and
(c) computational power or bandwidth.
Your capacity management system should be optimised to operate within its capabilities and send signals before space or efficiency is running low.
A.12.1.4: Separation of development, testing and operational environment
Tests, changes and developments in business systems should be separated from live operational environments. (i.e. development, testing, production)
Testing personnel should not access live environments and should not hold the same position as production developers. However, small businesses often find this a challenge to maintain with so few staff so controls about checks being in place to control access, monitor and reduce these risks should be in place.
These procedures are implemented to reduce conflicts of interest and decrease the chances of unauthorised access, changes and data leakage.
A.12.2 Malware protection
A.12.2.1 Controls against malware
Your firm must consider controls to identify, prevent and recover from malware attacks including ransomware. This includes updated antivirus software, download restrictions and limiting the use of removable media to reduce the risks, damage and effects of this kind of security incident.
A.12.3 Backup
A.12.3.1: Information Backup
A backup policy will define how to make copies of data, software and systems in order to ensure that data is not lost due to operational issues, mistakes or security incidents.
Your backup policy defines the rules related to backup and links to the risk assessment (Business impact Analysis) result for your company.
Many companies try and do backups of all data. Which is common practice but special attention must be put into storing high risk/sensitive data.. As backups are copies both backups and the live data should contain the same information in similar formats, and have processes defined to make sure that the information is updated regularly enough.
You should have your back up media and procedures tested at regular intervals to ensure that all your files are indeed being stored and effectively preserved if a backup fails to function, you should record this and indicate the steps you performed to resolve this issue.
Backup logs need to account for the:
- type of data,
- siting of the original copy,
- siting and storage of the new backed-up copies,
- date of copying,(v) and the authorising personnel or asset owner involved in the verification process.
A.12.4 Logging and monitoring
A.12.4.1: Event Logging
Logs are the basis of most audits and management reviews, they offer forensic assistance when evidence is required to resolve a security breach incident. Most policies and company affairs will demand records of all the activities, amendments, faults and exceptions that occur within the scope of the organisation and require a level of logging which will satisfy those requirements.
With logging and monitoring we need to start with an event, take note of its details, log and then analyse our findings.
A.12.4.2: Protection of log information
Logs are critical for audit purposes, investigations and for operations, in addition your logs may contain personally identifiable (PII) data.
Attackers will attempt to delete or modify logs if they can access them to hide their trails and could also try and steal the PI contained in them so all logs need to be adequately protected against tampering and possible data breaches.
Your aim of this control is avoiding unauthorised user access, tampering of logs and information loss while being able to prove the processes followed during your investigation are forensically sound as the logs are protected and accurate..
A.12.4.3: Administrator and operator logs
System administrators typically manage systems and databases within their departments and logs of their activities ae critical to protect for operational and security reasons. Procedures must be implemented to enforce and protect the logging of all administrator and operator activities.
A.12.4.4: Clock synchronisation
All clocks within the system must remain synched to a specific reference time source as this is another critical state of uniformity within the organisation.
In the event of a break in different security, asset logs can be used to compare timestamps and help track the source of the threat.
A.12.5 Operational software control
A.12.5.1: Installation of software on operational systems
All software installations must be closely controlled to maintain the integrity and security of company information as unsupervised downloads can result in malware infections, system corruption or file damage. This is the perfect opportunity for unauthorised persons to swoop in and install covert hacking tools.
Formal change management policy should be applied in this area to ensure that only necessary and verifiable installations are made to any company operating systems and evidence of this process needs to be kept.
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
Technical vulnerabilities are at the core of most information security breaches so there must be a continuous process and mechanism identifying technical vulnerabilities
All technical vulnerabilities identified must be documented and brought to the attention of the technical team system who will devise a plan to reduce the probability of these incidents occurring. This should be handled as an urgent matter and your team must strive to rectify it promptly.
Any suggested security patches must first go through testing before being applied to live company equipment and systems as ultimately, quality output is the most important aspect of the mitigation process.
Education is paramount here as users need to know how their actions can impact certain technical vulnerabilities and how they can help mitigate these risks.
A.12.6.2 Restrictions on software installation
In alliance with A.12.5, your organisation should have rules for installing software on company systems and devices to stop unauthorised or inexperienced staff introducing harmful software into workspaces.
All downloads need to be authorised before being allowed, .If you work in a small company and think this will be difficult to achieve then you can create a white list of all acceptable software downloads. Share this information among staff and relevant personnel in terms of awareness of the dangers and the reasons why.
As evidence suggest you should ensure that your company run regular software audits for the auditors.
A.12.7 Information systems and audit considerations
A.12.7.1 Information systems audit controls
Audits are necessary, but all these verifications and system checks can disrupt normal business activities. Your firm should create a formal audit schedule that considers different business activities customarily held on given days
The audit must not negatively impact system operations or slow down business for an extended period. You must define the scope and depth of your audit and plan out the best times to perform these testing. In addition the controls around sharing evidence and how audit conduct their testing must be defined and managed to not impact information security controls.